Conditional Statements
======================

boolean
-------

Declares a run time boolean as true or false in the current namespace. The [`booleanif`](cil_conditional_statements.md#booleanif) statement contains the CIL code that will be in the binary policy file.

[`boolean`](cil_conditional_statements.md#boolean) statements are not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) blocks.

**Statement definition:**

```secil
    (boolean boolean_id true|false)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>boolean</code></p></td>
<td align="left"><p>The <code>boolean</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>boolean_id</code></p></td>
<td align="left"><p>The <code>boolean</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>true | false</code></p></td>
<td align="left"><p>The initial state of the boolean. This can be changed at run time using <strong><code>setsebool</code></strong><code>(8)</code> and its status queried using <strong><code>getsebool</code></strong><code>(8)</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

See the [`booleanif`](cil_conditional_statements.md#booleanif) statement for an example.

booleanif
---------

Contains the run time conditional statements that are instantiated in the binary policy according to the computed boolean identifier(s) state.

[`call`](cil_call_macro_statements.md#call) statements are allowed within a [`booleanif`](cil_conditional_statements.md#booleanif), however the contents of the resulting macro must be limited to those of the [`booleanif`](cil_conditional_statements.md#booleanif) statement (i.e. [`allow`](cil_access_vector_rules.md#allow), [`auditallow`](cil_access_vector_rules.md#auditallow), [`dontaudit`](cil_access_vector_rules.md#dontaudit), [`typemember`](cil_type_statements.md#typemember), [`typetransition`](cil_type_statements.md#typetransition), [`typechange`](cil_type_statements.md#typechange) and the compile time [`tunableif`](cil_conditional_statements.md#tunableif) statement).

**Statement definition:**

```secil
    (booleanif boolean_id | expr ...
        (true
            cil_statements
            ...)
        (false
            cil_statements
            ...)
    )
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>booleanif</code></p></td>
<td align="left"><p>The <code>booleanif</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>boolean_id</code></p></td>
<td align="left"><p>Either a single <code>boolean</code> identifier or one or more <code>expr</code>'s.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s, the valid operators and syntax are:</p>
<p><code>(and boolean_id boolean_id)</code></p>
<p><code>(or boolean_id boolean_id)</code></p>
<p><code>(xor boolean_id boolean_id)</code></p>
<p><code>(eq boolean_id boolean_id)</code></p>
<p><code>(neq boolean_id boolean_id)</code></p>
<p><code>(not boolean_id)</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>true</code></p></td>
<td align="left"><p>An optional set of CIL statements that will be instantiated when the <code>boolean</code> is evaluated as <code>true</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>false</code></p></td>
<td align="left"><p>An optional set of CIL statements that will be instantiated when the <code>boolean</code> is evaluated as <code>false</code>.</p></td>
</tr>
</tbody>
</table>

**Examples:**

The second example also shows the kernel policy language equivalent:

```secil
    (boolean disableAudio false)

    (booleanif disableAudio
        (false
            (allow process mediaserver.audio_device (chr_file_set (rw_file_perms)))
        )
    )

    (boolean disableAudioCapture false)

    ;;; if(!disableAudio && !disableAudioCapture) {
    (booleanif (and (not disableAudio) (not disableAudioCapture))
        (true
            (allow process mediaserver.audio_capture_device (chr_file_set (rw_file_perms)))
        )
    )
```

tunable
-------

Tunables are similar to booleans, however they are used to manage areas of CIL statements that may or may not be in the final CIL policy that will be compiled (whereas booleans are embedded in the binary policy and can be enabled or disabled during run-time).

Note that tunables can be treated as booleans by using the CIL compiler command line parameter `-P` or `--preserve-tunables`.

Since [`tunableif`](cil_conditional_statements.md#tunableif) statements are resolved first, [`tunable`](cil_conditional_statements.md#tunable) statements are not allowed in [`in`](cil_container_statements.md#in), [`macro`](cil_call_macro_statements.md#macro), [`optional`](cil_container_statements.md#optional), and [`booleanif`](cil_conditional_statements.md#booleanif) blocks. To simplify processing, they are also not allowed in [`tunableif`](cil_conditional_statements.md#tunableif) blocks.

**Statement definition:**

```secil
    (tunable tunable_id true|false)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>tunable</code></p></td>
<td align="left"><p>The <code>tunable</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>tunable_id</code></p></td>
<td align="left"><p>The <code>tunable</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>true | false</code></p></td>
<td align="left"><p>The initial state of the <code>tunable</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

See the [`tunableif`](cil_conditional_statements.md#tunableif) statement for an example.

tunableif
---------

Compile time conditional statement that may or may not add CIL statements to be compiled.

If tunables are being treated as booleans (by using the CIL compiler command line parameter `-P` or `--preserve-tunables`), then only the statements allowed in a [`booleanif`](cil_conditional_statements.md#booleanif) block are allowed in a [`tunableif`](cil_conditional_statements.md#tunableif) block. Otherwise, [`tunable`](cil_conditional_statements.md#tunable) statements are not allowed in a [`tunableif`](cil_conditional_statements.md#tunableif) block.

**Statement definition:**

```secil
    (tunableif tunable_id | expr ...
        (true
            cil_statements
            ...)
        (false
            cil_statements
            ...)
    )
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>tunableif</code></p></td>
<td align="left"><p>The <code>tunableif</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>tunable_id</code></p></td>
<td align="left"><p>Either a single <code>tunable</code> identifier or one or more <code>expr</code>'s.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s, the valid operators and syntax are:</p>
<p><code>(and tunable_id tunable_id)</code></p>
<p><code>(or tunable_id tunable_id)</code></p>
<p><code>(xor tunable_id tunable_id)</code></p>
<p><code>(eq tunable_id tunable_id)</code></p>
<p><code>(neq tunable_id tunable_id)</code></p>
<p><code>(not tunable_id)</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>true</code></p></td>
<td align="left"><p>An optional set of CIL statements that will be instantiated when the <code>tunable</code> is evaluated as <code>true</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>false</code></p></td>
<td align="left"><p>An optional set of CIL statements that will be instantiated when the <code>tunable</code> is evaluated as <code>false</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will not add the range transition rule to the binary policy:

```secil
    (tunable range_trans_rule false)

    (block init
        (class process (process))
        (type process)

        (tunableif range_trans_rule
            (true
                (rangetransition process sshd.exec process low_high)
            )
        ) ; End tunableif
    ) ; End block
```
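
The `booleanif` and `tunableif` sections above differ in when the condition is resolved. The following is an added example, not part of the CIL documentation or the CIL compiler: a small Python model that parses this page's sample statements and returns which statements each conditional instantiates, so a policy reviewer can see what a `setsebool` change would enable. The function names, the `setsebool` parameter and the simplifications (no quoted strings, no namespace resolution, tunables not preserved with `-P`) are assumptions of this sketch.

```python
import re

# Constructed sample: the booleanif and tunableif examples from this page, merged.
POLICY = """
(boolean disableAudio false) (boolean disableAudioCapture false)
(tunable range_trans_rule false)
(booleanif disableAudio
    (false (allow process mediaserver.audio_device (chr_file_set (rw_file_perms)))))
;;; if(!disableAudio && !disableAudioCapture) {
(booleanif (and (not disableAudio) (not disableAudioCapture))
    (true (allow process mediaserver.audio_capture_device (chr_file_set (rw_file_perms)))))
(block init (tunableif range_trans_rule
    (true (rangetransition process sshd.exec process low_high))))
"""

OPS = {"and": lambda a, b: a and b, "or": lambda a, b: a or b,
       "xor": lambda a, b: a != b, "neq": lambda a, b: a != b,
       "eq": lambda a, b: a == b, "not": lambda a: not a}

def statements(text):
    """Parse s-expressions; return every keyword-led list (';' comments dropped)."""
    stack, found = [[]], []
    for tok in re.findall(r"[()]|[^\s()]+", re.sub(r";[^\n]*", "", text)):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            found.append(stack.pop())
            stack[-1].append(found[-1])
        else:
            stack[-1].append(tok)
    return [s for s in found if s and isinstance(s[0], str)]

def evaluate(expr, state):
    """Evaluate an identifier or an (op expr ...) list against the given states."""
    if isinstance(expr, str):
        return state[expr]
    return OPS[expr[0]](*(evaluate(e, state) for e in expr[1:]))

def instantiated(policy, setsebool=None):
    """Statements each conditional selects; only booleans take run time overrides."""
    found, decl = statements(policy), {"boolean": {}, "tunable": {}}
    for s in found:
        if s[0] in decl:
            decl[s[0]][s[1]] = s[2] == "true"
    decl["boolean"].update(setsebool or {})   # models setsebool(8)
    out = []
    for s in found:
        if s[0] in ("booleanif", "tunableif"):
            branch = "true" if evaluate(s[1], decl[s[0][:-2]]) else "false"
            out += [r for b in s[2:] if b[0] == branch for r in b[1:]]
    return out
```

Calling `instantiated(POLICY, {"disableAudio": True})` models flipping the boolean at run time; the tunable's branch is fixed by its declaration and is unaffected by the override.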